Apps downloaded from the App Store are encrypted by Apple; the executable is wrapped in a protective shell. class-dump cannot work on an encrypted App, so to obtain its header files you first have to decrypt the encrypted executable, commonly called "cracking the shell" (砸殼).
dumpdecrypted is the tool for this; you need to compile it yourself.
1. Download the tool
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ git clone https://github.com/stefanesser/dumpdecrypted
Cloning into 'dumpdecrypted'...
remote: Counting objects: 31, done.
remote: Total 31 (delta 0), reused 0 (delta 0), pack-reused 31
Unpacking objects: 100% (31/31), done.
Checking connectivity... done.
2. Build
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ cd dumpdecrypted/
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ make
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
2015-12-23 15:44:16.429 xcodebuild[9345:206961] [MT] DVTPlugInManager: Required plug-in compatibility UUID F41BD31E-2683-44B8-AE7F-5F09E919790E for KSImageNamed.ideplugin (com.ksuther.KSImageNamed) not present
2015-12-23 15:44:16.490 xcodebuild[9345:206961] [MT] PluginLoading: Required plug-in compatibility UUID F41BD31E-2683-44B8-AE7F-5F09E919790E for plug-in at path '~/Library/Application Support/Developer/Shared/Xcode/Plug-ins/CodePilot3.xcplugin' not present in DVTPlugInCompatibilityUUIDs
2015-12-23 15:44:16.490 xcodebuild[9345:206961] [MT] PluginLoading: Required plug-in compatibility UUID F41BD31E-2683-44B8-AE7F-5F09E919790E for plug-in at path '~/Library/Application Support/Developer/Shared/Xcode/Plug-ins/ClangFormat.xcplugin' not present in DVTPlugInCompatibilityUUID
..........most of the log omitted
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ ls
Makefile dumpdecrypted.c dumpdecrypted.o
README dumpdecrypted.dylib
The build finally produces the file dumpdecrypted.dylib. This is the dumping library we will need shortly. It can be reused from now on; there is no need to rebuild it.
3. Locate the executable to decrypt.
Apps from the App Store usually live under /var/mobile/Containers/Bundle/Application/xxx (on older iOS versions, as in the output below, the path is /var/mobile/Applications/xxx instead).
A small trick: use the ps -e command to list all processes. Keep only one App open on the phone, so the process whose path contains /var/mobile is the path of the executable.
Here KFC's official app is used as the example; you can see the KFC keyword in the path, so this is the right one.
didi:~ root# ps -e | grep var
2351 ?? 0:20.04 /var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/KFC_BRAND.app/KFC_BRAND
2360 ttys000 0:00.01 grep var
4. Find the Documents directory
cd into the app directory and use the cycript tool introduced in the previous section.
didi:/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/KFC_BRAND.app root# cycript -p KFC_BRAND
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents/"
5. Copy dumpdecrypted.dylib into the Documents directory
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ scp dumpdecrypted.dylib root@192.168.31.209:/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents/dumpdecrypted.dylib
dumpdecrypted.dylib 100% 193KB 192.9KB/s 00:00
6. Start dumping
cd into the Documents directory and run the app's executable with DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib set, as in the commands below.
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ ssh root@192.168.31.209
didi:~ root# cd /var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents/
didi:/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents root# ls
BIStorage Backups IDatabaseHelper TCSdkConfig.plist dumpdecrypted.dylib imageFileCache.dat tencent_analysis_qc.db
didi:/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/KFC_BRAND.app/KFC_BRAND
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0x68a08(from 0x68000) = a08
[+] Found encrypted data at address 00004000 of length 4620288 bytes - type 1.
[+] Opening /private/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/KFC_BRAND.app/KFC_BRAND for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening KFC_BRAND.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a08
[+] Closing original file
[+] Closing dump file
This produces the decrypted file for the app, xx.decrypted; here it is KFC_BRAND.decrypted.
didi:/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents root# ls
BIStorage IDatabaseHelper TCSdkConfig.plist imageFileCache.dat
Backups KFC_BRAND.decrypted dumpdecrypted.dylib tencent_analysis_qc.db
Now class-dump and IDA can be used on it.
The process is fairly simple; just follow the steps one by one.
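A check worth doing after step 6 is to confirm that the dumped file really has cryptid set to 0 in its LC_ENCRYPTION_INFO command (the tool reports it above as "Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a08", i.e. the slice at 0x4000 plus 0xa08). The Python parser below is an added example, not part of the original post or of the dumpdecrypted project; it walks the FAT header and each slice's load commands and reports cryptoff, cryptsize and cryptid, and is exercised on a constructed minimal Mach-O rather than on KFC_BRAND.

```python
import struct
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def mach_o_slices(data):  # yield (file offset, image bytes) for each image in a thin or FAT file
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:      # FAT header is big-endian
        nfat = struct.unpack(">I", data[4:8])[0]
        for i in range(nfat):
            _, _, off, size, _ = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
            yield off, data[off:off + size]
    else:
        yield 0, data

def encryption_info(data):
    """Return one dict per LC_ENCRYPTION_INFO(_64) load command found, across all slices."""
    found = []
    for base, img in mach_o_slices(data):
        magic = struct.unpack("<I", img[:4])[0]
        if magic not in (MH_MAGIC, MH_MAGIC_64):
            continue                                       # not a little-endian Mach-O image
        pos = 28 if magic == MH_MAGIC else 32               # sizeof mach_header / mach_header_64
        ncmds = struct.unpack("<I", img[16:20])[0]
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack("<2I", img[pos:pos + 8])
            if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
                cryptoff, cryptsize, cryptid = struct.unpack("<3I", img[pos + 8:pos + 20])
                found.append({"cryptid_offset": base + pos + 16, "cryptoff": cryptoff,
                              "cryptsize": cryptsize, "cryptid": cryptid})
            pos += cmdsize
    return found

def is_encrypted(data):
    """True if any slice still has cryptid != 0, i.e. an encrypted segment remains."""
    return any(e["cryptid"] != 0 for e in encryption_info(data))

def sample_image(cryptid):
    """Constructed minimal 32-bit ARM Mach-O: a header plus one LC_ENCRYPTION_INFO command."""
    lc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 4620288, cryptid)
    hdr = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 1, len(lc), 0)   # CPU_TYPE_ARM, MH_EXECUTE, ncmds=1
    return hdr + lc

def sample_fat(*images):
    """Constructed FAT wrapper (real files 16 KiB-align each slice; the parser does not need that)."""
    off, archs, body = 8 + 20 * len(images), b"", b""
    for img in images:
        archs += struct.pack(">5I", 12, 9, off + len(body), len(img), 0)
        body += img
    return struct.pack(">2I", FAT_MAGIC, len(images)) + archs + body
ENCRYPTED_SAMPLE = sample_fat(sample_image(1), sample_image(1))  # untouched App Store binary
DUMPED_SAMPLE = sample_fat(sample_image(0), sample_image(1))     # only the first slice was dumped
```

Because dumpdecrypted only decrypts the slice that was actually loaded, a FAT .decrypted file can still report cryptid 1 for the other architectures, so check the slice you intend to feed to class-dump, not just the first one.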
Why put it in the Documents directory?
Most paths outside the sandbox are not writable. dumpdecrypted.dylib has to write a .decrypted file, and because it runs inside the App Store app's own process it has exactly that app's permissions, so the write can only succeed in a path the app is allowed to write to.
Obtaining the header files
Check whether header files can be extracted from the decrypted file.
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ /Users/liuchendi/Desktop/class-dump -H /Users/liuchendi/Desktop/逆向/KFC_BRAND.decrypted -o head
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ cd head/
liuchendi@lovelyddtekiMacBook-Pro head$ ls
ABNewPersonViewControllerDelegate-Protocol.h MTAWXOPasteboard.h
ABPeoplePickerNavigationControllerDelegate-Protocol.h MTAWXOReachability.h
ABPersonViewControllerDelegate-Protocol.h MTAWXOSessionEnv.h
AMapViewController.h MTAWXOStore.h
APAutoRotateImageView.h MTAWXOStoreEvent.h
APHTTPRequestOperation.h MTAWXOTestSpeedEvent.h
APIBase.h MTAWXOUser.h
...........most of the listing omitted